<html>
<head><meta charset="utf-8"><title>crates-audit · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html">crates-audit</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="136788569"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136788569" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136788569">(Oct 30 2018 at 16:34)</a>:</h4>
<p>I have a website showing an MVP of the <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> wide audit: <a href="https://crates-audit.zach297.com" target="_blank" title="https://crates-audit.zach297.com">https://crates-audit.zach297.com</a></p>



<a name="136807391"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136807391" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136807391">(Oct 30 2018 at 21:10)</a>:</h4>
<p>Any chance of sort-ability by download count?</p>



<a name="136808937"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136808937" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136808937">(Oct 30 2018 at 21:38)</a>:</h4>
<p>That's a good idea.</p>



<a name="136809379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809379">(Oct 30 2018 at 21:45)</a>:</h4>
<p>I switched my <a href="https://gitlab.com/zachreizner/crates-audit" target="_blank" title="https://gitlab.com/zachreizner/crates-audit">gitlab repo</a> to public.</p>



<a name="136809663"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809663" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809663">(Oct 30 2018 at 21:50)</a>:</h4>
<p>Currently the audit output looks like <a href="https://crates-audit.zach297.com/audit-114166018.json" target="_blank" title="https://crates-audit.zach297.com/audit-114166018.json">this</a>. There is purposefully very little information beyond what packages are depending on vulnerable crates. I wanted to keep the initial version small while we decided what was important.</p>



<a name="136809766"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809766" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809766">(Oct 30 2018 at 21:52)</a>:</h4>
<p>Does this operate on <code>Cargo.toml</code> or <code>Cargo.lock</code>? If it's the former, it might be useful to explore the full set of valid packages. E.g., if I have a dependency on <code>foo</code> version <code>0.1.0</code>, any vuln in the <code>0.1.x</code> train should be flagged since any of those versions are valid according to Cargo.</p>



<a name="136809779"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809779" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809779">(Oct 30 2018 at 21:52)</a>:</h4>
<p>it operates on the <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> index</p>



<a name="136809796"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809796" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809796">(Oct 30 2018 at 21:53)</a>:</h4>
<p>Ah, this doesn't operate on a particular crate's dependencies?</p>



<a name="136809807"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809807" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809807">(Oct 30 2018 at 21:53)</a>:</h4>
<p>It does operate on the crate dependencies.</p>



<a name="136809861"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809861" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809861">(Oct 30 2018 at 21:54)</a>:</h4>
<p>So my point is: When it's evaluating a given crate's dependencies, it should evaluate any of the versions of those dependencies which are consistent with its <code>Cargo.toml</code> file.</p>



<a name="136809871"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809871" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809871">(Oct 30 2018 at 21:54)</a>:</h4>
<p>Because, depending on the dependencies of other crates in the same build graph, any of those versions might be selected by Cargo at build time.</p>



<a name="136809877"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809877" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809877">(Oct 30 2018 at 21:54)</a>:</h4>
<p>That's an interesting line of thought.</p>



<a name="136809898"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809898" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809898">(Oct 30 2018 at 21:55)</a>:</h4>
<p>I can see it going either way. Currently the resolver in crates-audit will just use the latest version that will satisfy a dependency.</p>



<a name="136809903"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809903" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809903">(Oct 30 2018 at 21:55)</a>:</h4>
<p>Also, does the RustSec DB identify versions or version ranges?</p>



<a name="136809916"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809916" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809916">(Oct 30 2018 at 21:55)</a>:</h4>
<p>E.g., I could imagine a vuln discovered in version <code>0.1.1</code> that, in practice, also affects <code>0.1.0</code>, but RustSec doesn't say that <code>0.1.0</code> is vulnerable.</p>



<a name="136809924"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809924" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809924">(Oct 30 2018 at 21:56)</a>:</h4>
<p>RustSec uses ranges</p>



<a name="136809965"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809965" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809965">(Oct 30 2018 at 21:56)</a>:</h4>
<p>OK cool</p>



<a name="136809971"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809971" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809971">(Oct 30 2018 at 21:56)</a>:</h4>
<p>e.g. <a href="https://rustsec.org/advisories/RUSTSEC-2018-0007.html" target="_blank" title="https://rustsec.org/advisories/RUSTSEC-2018-0007.html">https://rustsec.org/advisories/RUSTSEC-2018-0007.html</a></p>



<a name="136809974"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809974" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809974">(Oct 30 2018 at 21:56)</a>:</h4>
<p>Unless a package falls in the unaffected or patched range, it's considered vuln.</p>



<a name="136809988"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136809988" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136809988">(Oct 30 2018 at 21:57)</a>:</h4>
<p>An example of a <a href="https://rustsec.org/advisories/RUSTSEC-2018-0005.html" target="_blank" title="https://rustsec.org/advisories/RUSTSEC-2018-0005.html">advisory</a> with unaffected versions.</p>



<a name="136810067"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810067" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810067">(Oct 30 2018 at 21:58)</a>:</h4>
<p>OK cool. That information should be detailed enough to figure out whether or not a <code>Cargo.toml</code> names versions which <em>could</em> be vulnerable.</p>



<a name="136810083"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810083" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810083">(Oct 30 2018 at 21:59)</a>:</h4>
<p>So my thinking on this is that it would cause a bit too much github issue traffic.</p>



<a name="136810090"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810090" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810090">(Oct 30 2018 at 21:59)</a>:</h4>
<p>Btw, I haven't implemented that part yet because I think we need to lay out a solid policy.</p>



<a name="136810113"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810113" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810113">(Oct 30 2018 at 21:59)</a>:</h4>
<p>Yeah so my thinking is that you could just modify your <code>Cargo.toml</code> to identify the patched version as the minimum.</p>



<a name="136810115"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810115" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810115">(Oct 30 2018 at 21:59)</a>:</h4>
<p>I agree it might cause some GH issue traffic.</p>



<a name="136810159"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810159" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810159">(Oct 30 2018 at 22:00)</a>:</h4>
<p>Is your thinking to have this auto-submit issues?</p>



<a name="136810172"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810172" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810172">(Oct 30 2018 at 22:00)</a>:</h4>
<p>That was what I was thinking.</p>



<a name="136810183"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810183" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810183">(Oct 30 2018 at 22:00)</a>:</h4>
<p>That's a really cool idea.</p>



<a name="136810191"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810191" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810191">(Oct 30 2018 at 22:00)</a>:</h4>
<p>But I thought that was the plan of record.</p>



<a name="136810200"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810200" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810200">(Oct 30 2018 at 22:00)</a>:</h4>
<p>I don't think there's any "record" here lol</p>



<a name="136810203"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810203" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810203">(Oct 30 2018 at 22:00)</a>:</h4>
<p>At least that I've seen.</p>



<a name="136810242"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810242" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810242">(Oct 30 2018 at 22:01)</a>:</h4>
<p>I'm referring to the post on the "actionable work items" stream</p>



<a name="136810262"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136810262" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136810262">(Oct 30 2018 at 22:01)</a>:</h4>
<p>Ah, you're right. I'd forgotten that detail.</p>



<a name="136811722"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136811722" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136811722">(Oct 30 2018 at 22:29)</a>:</h4>
<p>A follow-up discussion here is about recursive dependencies. In particular, what do we do about <code>foo</code> which depends on a version of <code>bar</code> which depends on a vulnerable version of <code>baz</code>?</p>



<a name="136811826"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136811826" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136811826">(Oct 30 2018 at 22:30)</a>:</h4>
<p>It depends. Is your goal informing people of risk in their deps, or driving action on maintainers?</p>
<p>If it's informing people of risk, then you warn both <code>foo</code> and <code>bar</code>. If it's driving action for maintainers I think you complain to <code>foo</code> if there exists a version of <code>bar</code> that resolves the issue. If <code>bar</code> hasn't resolved the issue then you only complain to them.</p>



<a name="136811864"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136811864" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136811864">(Oct 30 2018 at 22:31)</a>:</h4>
<p>I think the latter makes sense. Complaining to a crate author when there's nothing they can do seems unwise from a PR and alert fatigue perspective.</p>



<a name="136811933"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136811933" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136811933">(Oct 30 2018 at 22:32)</a>:</h4>
<p>Let's say <code>bar</code> upgrades and is now vulnerable. Do you inform <code>foo</code>?</p>



<a name="136811962"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136811962" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136811962">(Oct 30 2018 at 22:33)</a>:</h4>
<p>Yes, I think so.</p>



<a name="136812014"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812014" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812014">(Oct 30 2018 at 22:34)</a>:</h4>
<p>Longer-term, it might be worth allowing individual crates to opt into more verbose warnings, e.g. via a <code>.cargo-audit</code> file.</p>



<a name="136812025"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812025" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812025">(Oct 30 2018 at 22:35)</a>:</h4>
<p>Speaking personally, there are some crates I maintain where I'd want to know about vulnerable dependencies so I could either poke their authors or take action on my own to patch the issue temporarily.</p>



<a name="136812060"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812060" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812060">(Oct 30 2018 at 22:35)</a>:</h4>
<p>On the topic of configuration, I think it would make sense to put the settings into a centralized repository rather than in the repo of the crate.</p>



<a name="136812135"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812135" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812135">(Oct 30 2018 at 22:36)</a>:</h4>
<p>For cases the author wants to opt into more verbosity, they can always just run cargo-audit themselves, right?</p>



<a name="136812150"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812150" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812150">(Oct 30 2018 at 22:37)</a>:</h4>
<p>Agreed</p>



<a name="136812242"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812242" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812242">(Oct 30 2018 at 22:38)</a>:</h4>
<p>re crate configuration: I made the design choice for crates-audit to have reproducible output. Given a <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> index commit and a rustsec advisory-db commit, the output should always be the same audit result file.</p>



<a name="136812271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812271">(Oct 30 2018 at 22:39)</a>:</h4>
<p>And then on top of that you script the github API to get the latest version of each on cron. Seems pretty good.</p>



<a name="136812272"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812272" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812272">(Oct 30 2018 at 22:39)</a>:</h4>
<p>It would slow the audit process and make it less reproducible if the results depended on the commit of each crate.</p>



<a name="136812412"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812412" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812412">(Oct 30 2018 at 22:41)</a>:</h4>
<p>Also, there isn't a good mapping between crates and git repos. A published crate could possibly not even have a repo because the publisher just uploads a tarball of their source tree.</p>



<a name="136812510"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136812510" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136812510">(Oct 30 2018 at 22:42)</a>:</h4>
<blockquote>
<p>And then on top of that you script the github API to get the latest version of each on cron. Seems pretty good.</p>
</blockquote>
<p>I should note that that is the plan. As it's currently implemented, it just uses master of each. I should submit an issue...</p>



<a name="136957885"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136957885" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136957885">(Nov 01 2018 at 23:38)</a>:</h4>
<p><span class="user-mention" data-user-id="132362">@Joshua Liebow-Feeser</span> RustSec presently uses the <code>semver</code> crate's <code>VersionReq</code> for specifying versions which are or are not vulnerable; however, it could probably use its own requirements with its own matcher.</p>



<a name="136957890"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136957890" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136957890">(Nov 01 2018 at 23:38)</a>:</h4>
<p>and the tool itself operates on <code>Cargo.lock</code> which already has all of the transitive dependencies resolved</p>



<a name="136957901"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136957901" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136957901">(Nov 01 2018 at 23:38)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> neat re: <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> scanner!</p>



<a name="136957915"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/136957915" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#136957915">(Nov 01 2018 at 23:39)</a>:</h4>
<p>Thanks!</p>



<a name="146820674"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146820674" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146820674">(Nov 05 2018 at 20:11)</a>:</h4>
<p>I've been running the crates-audit infrastructure using gitlab's free pipelines, the free tier of google cloud, and a free cloudflare account, but the only thing I can't get for free is a proper domain for the audits page. I've been hosting it on my personal projects domain, but it would be nice to put it in a proper place.</p>



<a name="146820736"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146820736" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146820736">(Nov 05 2018 at 20:12)</a>:</h4>
<p>Perhaps it could go under a subdomain of <a href="http://rustsec.org" target="_blank" title="http://rustsec.org">rustsec.org</a>? What do you think?</p>



<a name="146820800"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146820800" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146820800">(Nov 05 2018 at 20:13)</a>:</h4>
<p>What is the target audience of that page? Especially in the light of filing github or gitlab issues directly in the future?</p>



<a name="146820862"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146820862" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146820862">(Nov 05 2018 at 20:14)</a>:</h4>
<p>That's a good question.</p>



<a name="146820910"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146820910" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146820910">(Nov 05 2018 at 20:15)</a>:</h4>
<p>Mainly, I don't have code for filing issues yet, and we haven't established what the policy for something like that will even be.</p>



<a name="146820919"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146820919" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146820919">(Nov 05 2018 at 20:15)</a>:</h4>
<p>Subdomain of <a href="http://rustsec.org" target="_blank" title="http://rustsec.org">rustsec.org</a> actually sounds good to me assuming we want to display it publicly. I'm not sure we do, though, and how discoverable it should be. If we want maximum discoverability we should just feed that info into <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> directly</p>



<a name="146820926"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146820926" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146820926">(Nov 05 2018 at 20:15)</a>:</h4>
<p>So the page is good for people that want to see if a crate that they are considering using currently has advisories.</p>



<a name="146821025"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821025" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821025">(Nov 05 2018 at 20:16)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> you're the owner of the <a href="http://rustsec.org" target="_blank" title="http://rustsec.org">rustsec.org</a> domain, right?</p>



<a name="146821279"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821279" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821279">(Nov 05 2018 at 20:21)</a>:</h4>
<p>In that case I'd go for a <a href="http://rustsec.org" target="_blank" title="http://rustsec.org">rustsec.org</a> subdomain as an intermediate step. It should probably be integrated with <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> after some testing and once we figure out notification policy.</p>



<a name="146821335"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821335" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821335">(Nov 05 2018 at 20:22)</a>:</h4>
<p>Yes. I can point a subdomain somewhere if you'd like</p>



<a name="146821360"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821360" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821360">(Nov 05 2018 at 20:22)</a>:</h4>
<p>Who maintains <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a>? How do you know that they want this functionality?</p>



<a name="146821468"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821468" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821468">(Nov 05 2018 at 20:24)</a>:</h4>
<p><a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> is maintained by the Infrastructure Team</p>



<a name="146821602"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821602" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821602">(Nov 05 2018 at 20:27)</a>:</h4>
<blockquote>
<p>Yes. I can point a subdomain somewhere if you'd like</p>
</blockquote>
<p>That would be cool. I'm using domain-named buckets for hosting the static content and the audit file, so I would need to confirm ownership for <a href="http://crates-audit.rustsec.org" target="_blank" title="http://crates-audit.rustsec.org">crates-audit.rustsec.org</a>: <a href="https://cloud.google.com/storage/docs/domain-name-verification" target="_blank" title="https://cloud.google.com/storage/docs/domain-name-verification">https://cloud.google.com/storage/docs/domain-name-verification</a></p>



<a name="146821671"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821671" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821671">(Nov 05 2018 at 20:28)</a>:</h4>
<p>After I create the bucket, then I need a CNAME DNS record to google storage: <a href="https://cloud.google.com/storage/docs/hosting-static-website" target="_blank" title="https://cloud.google.com/storage/docs/hosting-static-website">https://cloud.google.com/storage/docs/hosting-static-website</a></p>



<a name="146821702"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821702" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821702">(Nov 05 2018 at 20:28)</a>:</h4>
<p>cool, I can take a look in a bit</p>



<a name="146821716"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821716" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821716">(Nov 05 2018 at 20:29)</a>:</h4>
<p>Cool, we can do this whenever you like.</p>



<a name="146821752"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821752" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821752">(Nov 05 2018 at 20:29)</a>:</h4>
<p>We can also meet up in person, assuming you are in the bay area as your github says.</p>



<a name="146821803"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/146821803" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#146821803">(Nov 05 2018 at 20:30)</a>:</h4>
<p>yeah</p>



<a name="147557824"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/147557824" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#147557824">(Nov 12 2018 at 23:20)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> I can get you an extra $500 in free Google Cloud credit that will last for 1 year, if you can elaborate on what Google Cloud services you're using and what you're running on it.</p>



<a name="147557837"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/147557837" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#147557837">(Nov 12 2018 at 23:21)</a>:</h4>
<p>In fact, I could probably get this for anyone with a worthy cause, so feel free to ping me even if you're not Zach :)</p>



<a name="147557842"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/147557842" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#147557842">(Nov 12 2018 at 23:21)</a>:</h4>
<p>That's very generous <strong>Shnatsel</strong>, but I just nominated myself about an hour ago :)</p>



<a name="148740263"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740263" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740263">(Nov 28 2018 at 20:19)</a>:</h4>
<p>guess I'll drop this in here since it seems like the most relevant topic: <a href="https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912" target="_blank" title="https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912">https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912</a></p>



<a name="148740269"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740269" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740269">(Nov 28 2018 at 20:19)</a>:</h4>
<blockquote>
<p>Security vulnerabilities: which crates in <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> are affected by a vulnerable function?</p>
</blockquote>



<a name="148740403"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740403" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740403">(Nov 28 2018 at 20:21)</a>:</h4>
<blockquote>
<p>guess I'll drop this in here since it seems like the most relevant topic: <a href="https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912" target="_blank" title="https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912">https://internals.rust-lang.org/t/prototype-dev-tool-rustprazi-a-tool-to-build-an-entire-call-graph-of-crates-io/8912</a></p>
</blockquote>
<p>That does seem interesting, and also reminds me that I never made any announcements about crates-audit.</p>



<a name="148740410"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740410" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740410">(Nov 28 2018 at 20:21)</a>:</h4>
<p>I was gonna hold off until getting the domain situation worked out.</p>



<a name="148740590"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740590" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740590">(Nov 28 2018 at 20:25)</a>:</h4>
<p>let me know what you need from my end, if you'd like to use a <a href="http://rustsec.org" target="_blank" title="http://rustsec.org">rustsec.org</a> subdomain</p>



<a name="148740612"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740612" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740612">(Nov 28 2018 at 20:25)</a>:</h4>
<p>also just mentioned your project on that thread, heh</p>



<a name="148740669"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740669" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740669">(Nov 28 2018 at 20:26)</a>:</h4>
<p>I just suggested we could try to collect the relevant information in RustSec advisories to feed into their omnicallgraph and find impacted crates</p>



<a name="148740791"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740791" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740791">(Nov 28 2018 at 20:29)</a>:</h4>
<p>It was two things that I needed for the subdomain: I need to prove ownership of the subdomain to rename my google bucket, and I need you to point the subdomain's DNS info to googlestorage. Enabling cloudflare caching for all content on the subdomain would also go a long way towards keeping my bandwidth usage to the free tier.</p>



<a name="148740817"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740817" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740817">(Nov 28 2018 at 20:29)</a>:</h4>
<p>(And I recall that you use cloudflare for your DNS and caching, so it should be easy)</p>



<a name="148740881"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740881" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740881">(Nov 28 2018 at 20:30)</a>:</h4>
<p>Yeah I have Cloudflare on there already, although that was just to get an X.509 cert easily, and I saw GitHub pages now has a Let's Encrypt integration and can do that itself</p>



<a name="148740926"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740926" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740926">(Nov 28 2018 at 20:31)</a>:</h4>
<p>but uhh, whatever, can just use Cloudflare I guess</p>



<a name="148740951"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740951" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740951">(Nov 28 2018 at 20:31)</a>:</h4>
<p>last I saw GCS doesn't have a similar integration</p>



<a name="148740987"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148740987" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148740987">(Nov 28 2018 at 20:32)</a>:</h4>
<p>What is GCS in this context?</p>



<a name="148741011"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148741011" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148741011">(Nov 28 2018 at 20:32)</a>:</h4>
<p>you're talking about Google Cloud Storage, right?</p>



<a name="148741023"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148741023" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148741023">(Nov 28 2018 at 20:32)</a>:</h4>
<p>it can host content out of a bucket, and can do HTTPS with a user-provided cert</p>



<a name="148741035"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148741035" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148741035">(Nov 28 2018 at 20:33)</a>:</h4>
<p>but the only turnkey way to have Google get you an LE cert, for now, seems to be Firebase</p>



<a name="148741116"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148741116" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148741116">(Nov 28 2018 at 20:34)</a>:</h4>
<p>for something like Cloudflare it's easy enough to make a self-signed cert, upload the key to GCS, and then pin to the corresponding cert on the Cloudflare side</p>



<a name="148741325"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148741325" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148741325">(Nov 28 2018 at 20:38)</a>:</h4>
<p>Oh I see, you're talking about certificate integration with GCS. I haven't looked into that much. I was just using cloudflare's built-in SSL.</p>



<a name="148741948"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148741948" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148741948">(Nov 28 2018 at 20:47)</a>:</h4>
<p>what does GCS want to prove ownership of the (sub)domain?</p>



<a name="148741967"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148741967" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148741967">(Nov 28 2018 at 20:47)</a>:</h4>
<p>and what subdomain do you want to use? <code>(crates-)audit.rustsec.org</code>?</p>



<a name="148743500"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148743500" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148743500">(Nov 28 2018 at 21:06)</a>:</h4>
<p><a href="https://cloud.google.com/storage/docs/domain-name-verification" target="_blank" title="https://cloud.google.com/storage/docs/domain-name-verification">https://cloud.google.com/storage/docs/domain-name-verification</a></p>



<a name="148743516"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148743516" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148743516">(Nov 28 2018 at 21:06)</a>:</h4>
<p>I'm fine with <code>crates-audit.rustsec.org</code>.</p>



<a name="148743561"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148743561" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148743561">(Nov 28 2018 at 21:07)</a>:</h4>
<p>Specifically, I need to serve a specific file at <code>http://crates-audit.rustsec.org/google654255fc38b85e41.html</code></p>



<a name="148744911"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148744911" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148744911">(Nov 28 2018 at 21:25)</a>:</h4>
<p>the DV methods would probably be easiest for me... but I think you need to initiate them</p>



<a name="148744966"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148744966" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148744966">(Nov 28 2018 at 21:26)</a>:</h4>
<p>Click the gear icon, and then click Users &amp; Property Owners.<br>
Click Manage property owners, and then click Verify using a different method.<br>
Verify your property again using the new method.</p>



<a name="148745277"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148745277" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148745277">(Nov 28 2018 at 21:30)</a>:</h4>
<p>I'm not sure where this gear icon you're talking about is, but I did find the "Alternative Methods" tab in the "Webmaster Central" site that I'm using.<br>
The "Domain Name Provider" method says to add a TXT record for <a href="http://rustsec.org" target="_blank" title="http://rustsec.org">rustsec.org</a>: "google-site-verification=bDHZYm3GoFxu4yB8mBiNSUfw7fbG--6tI44bssyeIkA"</p>



<a name="148745307"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148745307" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148745307">(Nov 28 2018 at 21:31)</a>:</h4>
<p>Unclear if that verifies me for all of <code>rustsec.org</code> or just <code>crates-audit.rustsec.org</code></p>



<a name="148753024"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148753024" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148753024">(Nov 28 2018 at 23:44)</a>:</h4>
<p>I can try adding it on the subdomain first I guess?</p>



<a name="148753037"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148753037" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148753037">(Nov 28 2018 at 23:45)</a>:</h4>
<p>sure, let me know and I'll hit verify</p>



<a name="148754671"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148754671" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148754671">(Nov 29 2018 at 00:18)</a>:</h4>
<p>ok I added it to <code>crates.rustsec.org</code> <span class="emoji emoji-1f609" title="wink">:wink:</span></p>



<a name="148754683"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148754683" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148754683">(Nov 29 2018 at 00:19)</a>:</h4>
<p>(after trying <code>crates-audit.rustsec.org</code> and thinking it looked a bit long)</p>



<a name="148760071"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148760071" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148760071">(Nov 29 2018 at 02:18)</a>:</h4>
<p>The TXT record is different for <code>crates.rustsec.org</code>: <code>google-site-verification=3MmthI1MdZ9tbgUmlmAOUIvcrw32vrit2jXuDlJgjBg</code></p>



<a name="148763972"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148763972" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148763972">(Nov 29 2018 at 04:09)</a>:</h4>
<p>ok, added, might take a bit to propagate</p>



<a name="148763978"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148763978" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148763978">(Nov 29 2018 at 04:09)</a>:</h4>
<p>(since the old one might be cached)</p>



<a name="148763979"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148763979" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148763979">(Nov 29 2018 at 04:09)</a>:</h4>
<p>it seemed to work</p>



<a name="148764299"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148764299" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148764299">(Nov 29 2018 at 04:19)</a>:</h4>
<p>nice</p>



<a name="148764911"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148764911" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148764911">(Nov 29 2018 at 04:36)</a>:</h4>
<p>There also needs to be a cname for that subdomain: <a href="https://cloud.google.com/storage/docs/hosting-static-website#cname" target="_blank" title="https://cloud.google.com/storage/docs/hosting-static-website#cname">https://cloud.google.com/storage/docs/hosting-static-website#cname</a></p>



<a name="148765104"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148765104" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148765104">(Nov 29 2018 at 04:42)</a>:</h4>
<p>added as well</p>



<a name="148765316"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148765316" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148765316">(Nov 29 2018 at 04:49)</a>:</h4>
<p>looks like you probably need to make <code>allUsers</code> a <code>Storage Object Viewer</code> on the bucket perms?</p>
<pre><code>&lt;Error&gt;
&lt;Code&gt;AccessDenied&lt;/Code&gt;
&lt;Message&gt;Access denied.&lt;/Message&gt;
&lt;Details&gt;
Anonymous caller does not have storage.objects.list access to <a href="http://crates.rustsec.org" target="_blank" title="http://crates.rustsec.org">crates.rustsec.org</a>.
&lt;/Details&gt;
&lt;/Error&gt;</code></pre>



<a name="148765580"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148765580" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148765580">(Nov 29 2018 at 04:57)</a>:</h4>
<p>Yep, I haven't set up the bucket yet so that's expected.</p>



<a name="148765594"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148765594" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148765594">(Nov 29 2018 at 04:57)</a>:</h4>
<p>(I have to make a new bucket for that domain and transfer everything over, as well as reconfigure my cloud functions to point at the new bucket)</p>



<a name="148765634"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148765634" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148765634">(Nov 29 2018 at 04:58)</a>:</h4>
<p>If you like, I think I can add you to the project on Google Cloud.</p>



<a name="148765734"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148765734" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148765734">(Nov 29 2018 at 05:01)</a>:</h4>
<p>sweet, yeah the IAM on GCP is pretty nice</p>



<a name="148767303"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148767303" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148767303">(Nov 29 2018 at 05:49)</a>:</h4>
<p>Ok, it should be up now</p>



<a name="148767713"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148767713" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148767713">(Nov 29 2018 at 06:03)</a>:</h4>
<p>And I added you as an admin to the bucket.</p>



<a name="148767880"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148767880" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148767880">(Nov 29 2018 at 06:08)</a>:</h4>
<p>nice! yeah seems to be working</p>



<a name="148767954"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148767954" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148767954">(Nov 29 2018 at 06:10)</a>:</h4>
<p>added an "Always Use https://" page rule for it too</p>



<a name="148767959"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148767959" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148767959">(Nov 29 2018 at 06:10)</a>:</h4>
<p>Nice, was just about to ask.</p>



<a name="148813267"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/148813267" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#148813267">(Nov 29 2018 at 19:49)</a>:</h4>
<p>what'd be really awesome with something like RustPräzi is a way to diff two different releases of the same crate</p>



<a name="152072971"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152072971" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152072971">(Dec 17 2018 at 23:38)</a>:</h4>
<p>I wonder, did <a href="https://github.com/RustSec/rustsec-crate/issues/51" target="_blank" title="https://github.com/RustSec/rustsec-crate/issues/51">https://github.com/RustSec/rustsec-crate/issues/51</a> affect crates-audit? 1000 vulnerable crates sounds like a lot. Or maybe I just don't understand the dependency resolution well enough</p>



<a name="152077371"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152077371" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152077371">(Dec 18 2018 at 01:10)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> I noticed that the cloudflare config for <a href="https://crates.rustsec.org/" target="_blank" title="https://crates.rustsec.org/">https://crates.rustsec.org/</a> has <code>max-age</code> set to 7 days (604800 seconds). Crates vulnerable to RUSTSEC-2018-0009 still haven't shown up on the site because of this.</p>



<a name="152077617"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152077617" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152077617">(Dec 18 2018 at 01:17)</a>:</h4>
<p>I can look into adjusting that, however to me that sounds like something where you'd want the origin server to signal an appropriate TTL?</p>



<a name="152077664"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152077664" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152077664">(Dec 18 2018 at 01:18)</a>:</h4>
<p>I have the gcs configured to max-age=3600</p>



<a name="152077805"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152077805" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152077805">(Dec 18 2018 at 01:23)</a>:</h4>
<p>Oh, never mind, I am an idiot. The JavaScript still has the old <a href="http://crates-audit.zach297.com" target="_blank" title="http://crates-audit.zach297.com">crates-audit.zach297.com</a> URL hardcoded for retrieving audits</p>



<a name="152077845"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152077845" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152077845">(Dec 18 2018 at 01:24)</a>:</h4>
<p>(And I got confused between the <code>expect-ct</code> (which has the long max-age) and <code>cache-control</code> (which is correct) headers when debugging)</p>



<a name="152077865"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152077865" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152077865">(Dec 18 2018 at 01:24)</a>:</h4>
<p>So you don't have to do anything, I'll fix it.</p>



<a name="152085973"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152085973" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152085973">(Dec 18 2018 at 05:03)</a>:</h4>
<p>Ok, should be fixed now.</p>



<a name="152086089"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152086089" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152086089">(Dec 18 2018 at 05:08)</a>:</h4>
<p>One interesting thing I discovered is that cloudflare will not cache HTML by default. Go figure.</p>



<a name="152086284"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152086284" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152086284">(Dec 18 2018 at 05:13)</a>:</h4>
<p>haha yeah we can probably get rid of Cloudflare if you have another way of provisioning a cert</p>



<a name="152086337"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152086337" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152086337">(Dec 18 2018 at 05:14)</a>:</h4>
<p>I was planning on moving off of it anyway, since the only reason I was using it was to get a TLS certificate</p>



<a name="152086340"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152086340" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152086340">(Dec 18 2018 at 05:14)</a>:</h4>
<p>but now GitHub has that integrated</p>



<a name="152086343"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152086343" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152086343">(Dec 18 2018 at 05:14)</a>:</h4>
<p>only problem with GitHub's implementation is no HSTS <span class="emoji emoji-1f622" title="cry">:cry:</span></p>



<a name="152088043"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152088043" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152088043">(Dec 18 2018 at 06:05)</a>:</h4>
<p>If you want to get rid of it, that's fine with me. I don't think it will ever get enough traffic to blow the free tier.</p>



<a name="152088170"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152088170" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152088170">(Dec 18 2018 at 06:08)</a>:</h4>
<p>Although now that I think about it, I don't know how to set up SSL for GCS without cloudflare.</p>



<a name="152088607"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152088607" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152088607">(Dec 18 2018 at 06:22)</a>:</h4>
<p>oh right you're doing it off gcs</p>



<a name="152088610"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152088610" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152088610">(Dec 18 2018 at 06:22)</a>:</h4>
<p>I believe they recently added built-in cert provisioning for their load balancers</p>



<a name="152088616"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152088616" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152088616">(Dec 18 2018 at 06:23)</a>:</h4>
<p>not sure about GCS itself</p>



<a name="152088617"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152088617" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152088617">(Dec 18 2018 at 06:23)</a>:</h4>
<p>I think it's just a Let's Encrypt integration</p>



<a name="152089872"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152089872" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152089872">(Dec 18 2018 at 07:00)</a>:</h4>
<p>just confirmed it's there</p>



<a name="152089883"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152089883" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152089883">(Dec 18 2018 at 07:00)</a>:</h4>
<p><a href="/user_uploads/4715/UEBORySTIH44wOVo05QGFnAr/Screen-Shot-2018-12-17-at-10.59.25-PM.png" target="_blank" title="Screen-Shot-2018-12-17-at-10.59.25-PM.png">Screen-Shot-2018-12-17-at-10.59.25-PM.png</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/UEBORySTIH44wOVo05QGFnAr/Screen-Shot-2018-12-17-at-10.59.25-PM.png" target="_blank" title="Screen-Shot-2018-12-17-at-10.59.25-PM.png"><img src="/user_uploads/4715/UEBORySTIH44wOVo05QGFnAr/Screen-Shot-2018-12-17-at-10.59.25-PM.png"></a></div>



<a name="152089909"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152089909" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152089909">(Dec 18 2018 at 07:01)</a>:</h4>
<p>so create a new external IP address, tell me that, then create an HTTPS load balancer which uses that address, has a Google-managed cert for <a href="http://crates.rustsec.org" target="_blank" title="http://crates.rustsec.org">crates.rustsec.org</a>, and point the backend at the GCS bucket</p>



<a name="152227552"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152227552" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152227552">(Dec 20 2018 at 01:47)</a>:</h4>
<p>Idea: use gitlab pages to publish the audit. It supports custom domains and also SSL by uploading a pub/private key pair. It's also free.</p>



<a name="152227559"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152227559" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152227559">(Dec 20 2018 at 01:47)</a>:</h4>
<p>I already have it working using the <a href="http://gitlab.io" target="_blank" title="http://gitlab.io">gitlab.io</a> subdomain: <a href="https://zachreizner.gitlab.io/crates-audit/" target="_blank" title="https://zachreizner.gitlab.io/crates-audit/">https://zachreizner.gitlab.io/crates-audit/</a></p>



<a name="152228527"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152228527" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152228527">(Dec 20 2018 at 02:11)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> wherever you want to host it is fine by me... just tell me where to point DNS</p>



<a name="152228537"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152228537" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152228537">(Dec 20 2018 at 02:12)</a>:</h4>
<p>do they natively support getting a Let's Encrypt cert for a custom subdomain like GitHub?</p>



<a name="152228576"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152228576" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152228576">(Dec 20 2018 at 02:12)</a>:</h4>
<p>because I'd really like to get rid of Cloudflare, heh</p>



<a name="152228585"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152228585" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152228585">(Dec 20 2018 at 02:12)</a>:</h4>
<p>(I have largely transitioned my other projects to using GitHub Pages integrated HTTPS support now)</p>



<a name="152228592"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152228592" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152228592">(Dec 20 2018 at 02:13)</a>:</h4>
<p>the only thing I don't like about them is their "Enforce HTTPS" option doesn't set HSTS</p>



<a name="152228597"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152228597" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152228597">(Dec 20 2018 at 02:13)</a>:</h4>
<p>(GitHub, that is)</p>



<a name="152229001"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/152229001" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#152229001">(Dec 20 2018 at 02:25)</a>:</h4>
<p>It seems they have no native support, but they at least have an official tutorial</p>



<a name="154457117"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154457117" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154457117">(Jan 05 2019 at 04:16)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> could you clarify how dependency resolution for crates-audit works? I see over 1000 crates marked as vulnerable at <a href="https://crates.rustsec.org/" target="_blank" title="https://crates.rustsec.org/">https://crates.rustsec.org/</a> and I find it hard to believe. Does it check that all versions that could potentially satisfy a dependency are vulnerable, or is it something else? Also, what of Cargo.lock where it's present?</p>



<a name="154457227"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154457227" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154457227">(Jan 05 2019 at 04:20)</a>:</h4>
<p>Also some false positives could be a side effect of <a href="https://github.com/RustSec/rustsec-crate/issues/51" target="_blank" title="https://github.com/RustSec/rustsec-crate/issues/51">https://github.com/RustSec/rustsec-crate/issues/51</a></p>



<a name="154464010"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154464010" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154464010">(Jan 05 2019 at 08:09)</a>:</h4>
<p>Cargo.lock files are not used at all.</p>



<a name="154464054"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154464054" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154464054">(Jan 05 2019 at 08:10)</a>:</h4>
<p>It will use the newest dependency possible that satisfies requirements.</p>



<a name="154472289"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154472289" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154472289">(Jan 05 2019 at 12:47)</a>:</h4>
<p>I am confused. At <a href="https://crates.rustsec.org/" target="_blank" title="https://crates.rustsec.org/">https://crates.rustsec.org/</a> <code>cargo-thanks</code> is marked vulnerable to RUSTSEC-2018-0003 and 2018-0010. One of those is a bug in SmallVec, but it does not depend on SmallVec directly. It also depends on the latest <code>clap</code>, which is marked vulnerable to RUSTSEC-2018-0006; however, <code>cargo-thanks</code> is not marked vulnerable to RUSTSEC-2018-0006. I don't understand how that is possible.</p>



<a name="154472617"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154472617" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154472617">(Jan 05 2019 at 12:58)</a>:</h4>
<p>Another weird situation: <code>concurrent-hash-map</code> depends on crossbeam <code>^0.2.10</code> which should resolve to crossbeam version 0.2.12; however, it is somehow marked vulnerable to <a href="https://rustsec.org/advisories/RUSTSEC-2018-0009" target="_blank" title="https://rustsec.org/advisories/RUSTSEC-2018-0009">https://rustsec.org/advisories/RUSTSEC-2018-0009</a> which affects only much newer crossbeam.<br>
I don't think this can be explained by <a href="https://github.com/RustSec/rustsec-crate/issues/51" target="_blank" title="https://github.com/RustSec/rustsec-crate/issues/51">https://github.com/RustSec/rustsec-crate/issues/51</a> either because that vulnerability affects a separate crate that is not even present in the dependency chain for 0.2.x</p>



<a name="154482018"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154482018" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154482018">(Jan 05 2019 at 18:07)</a>:</h4>
<p>Oh yeah, looks like <a href="https://github.com/RustSec/rustsec-crate/issues/51" target="_blank" title="https://github.com/RustSec/rustsec-crate/issues/51">https://github.com/RustSec/rustsec-crate/issues/51</a> was an issue. Updating rustsec requirement from 0.9 to 0.10 in Cargo.toml has cut the number of affected crates from 1696 to 724</p>



<a name="154482225"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154482225" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154482225">(Jan 05 2019 at 18:14)</a>:</h4>
<p>I've tried to open a PR on GitLab to bump the version, but it keeps saying "An error accured whilst committing your changes."</p>



<a name="154489144"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154489144" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154489144">(Jan 05 2019 at 22:04)</a>:</h4>
<p>The situation with <code>cargo-thanks</code> not getting a vulnerability transitively from <code>clap</code> is actually correct. The relevant clap feature is not enabled. The fact that crates-audit takes Cargo features into account is a pleasant surprise.</p>



<a name="154489202"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154489202" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154489202">(Jan 05 2019 at 22:06)</a>:</h4>
<p>It does follow development-only dependencies though, and that's another source of false positives. I've opened an issue about that: <a href="https://gitlab.com/zachreizner/crates-audit/issues/4" target="_blank" title="https://gitlab.com/zachreizner/crates-audit/issues/4">https://gitlab.com/zachreizner/crates-audit/issues/4</a></p>



<a name="154490202"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154490202" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154490202">(Jan 05 2019 at 22:43)</a>:</h4>
<p>But ignoring those two sources of false positives, this works really, really well. I've just discovered a crate with 8000 downloads a month using OpenSSL bindings so ancient that it doesn't even check hostname when verifying certificates: <a href="https://github.com/Antti/rust-amqp" target="_blank" title="https://github.com/Antti/rust-amqp">https://github.com/Antti/rust-amqp</a></p>



<a name="154490807"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154490807" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154490807">(Jan 05 2019 at 23:03)</a>:</h4>
<p><a href="https://github.com/Antti/rust-amqp/pull/75" target="_blank" title="https://github.com/Antti/rust-amqp/pull/75">https://github.com/Antti/rust-amqp/pull/75</a></p>



<a name="154490854"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154490854" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154490854">(Jan 05 2019 at 23:04)</a>:</h4>
<p>Wow! That was fast! They actually have an issue on the bug tracker and a closed PR so I thought there was some fundamental reason why they're not upgrading.</p>



<a name="154490912"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154490912" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154490912">(Jan 05 2019 at 23:06)</a>:</h4>
<p>I didn't do much more than just bump the version and get the tests passing, it's entirely possible there's some complexity I missed.</p>



<a name="154492994"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154492994" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154492994">(Jan 06 2019 at 00:19)</a>:</h4>
<p>I have just <a href="https://github.com/chyh1990/yaml-rust/pull/109#issuecomment-451696912" target="_blank" title="https://github.com/chyh1990/yaml-rust/pull/109#issuecomment-451696912">requested</a> backporting the rust-yaml stack overflow fix based on crates-audit output</p>



<a name="154493109"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493109" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493109">(Jan 06 2019 at 00:23)</a>:</h4>
<p>Also I was kind of confused about what <code>crates-audit</code> does exactly. The shortest explanation I could come up with is "It finds crates dependent on vulnerable library versions with no semver-compatible fix available".</p>



<a name="154493213"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493213" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493213">(Jan 06 2019 at 00:26)</a>:</h4>
<p>I would definitely like to see something like that on <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a>; normally this should not happen - all semver series actually in use should get the backport - but this would give visibility to issues in unmaintained crates</p>



<a name="154493235"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493235" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493235">(Jan 06 2019 at 00:28)</a>:</h4>
<p>Why are so many people using the old version of rust-yaml?</p>



<a name="154493271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493271">(Jan 06 2019 at 00:28)</a>:</h4>
<p>¯\_(ツ)_/¯</p>



<a name="154493287"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493287" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493287">(Jan 06 2019 at 00:29)</a>:</h4>
<p>It's 165 crates according to cargo-audit and half the download count according to <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a></p>



<a name="154493341"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493341" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493341">(Jan 06 2019 at 00:30)</a>:</h4>
<p>I wonder, do Rust compiled binaries contain data on what libraries went into making them? Probably not, but it would be so sweet if they did</p>



<a name="154493344"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493344" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493344">(Jan 06 2019 at 00:30)</a>:</h4>
<p>They don't. I wonder if it's possible to build a crate that does that... does the info exist in <code>build.rs</code>?</p>



<a name="154493397"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493397" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493397">(Jan 06 2019 at 00:32)</a>:</h4>
<p>If they did, you could just point an analyzer to a <em>compiled binary</em> and get it audited. And this would work for binaries deployed <em>anywhere in any way</em> and you wouldn't have to keep a matching Cargo.lock around and risk them being desynced</p>



<a name="154493443"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493443" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493443">(Jan 06 2019 at 00:34)</a>:</h4>
<p>Well, there is nothing preventing you from parsing Cargo.lock from <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a> at any rate</p>



<a name="154493904"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493904" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493904">(Jan 06 2019 at 00:50)</a>:</h4>
<p>What about an embeddable crate that checked itself occasionally to see if it was using vulnerable crates?</p>



<a name="154493956"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493956" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493956">(Jan 06 2019 at 00:52)</a>:</h4>
<p>There are two problems with that: extra code size and the trouble with reaching the user to notify them.</p>



<a name="154493965"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154493965" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154493965">(Jan 06 2019 at 00:53)</a>:</h4>
<p>I'd rather have version info encoded in compiled binaries. It is small enough that we can make <em>all</em> Cargo-compiled binaries have it. Then you can run an analyzer manually or as a cronjob. The system is simple, transparent and it's clear how it will communicate with you in case it finds an issue</p>



<a name="154494006"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154494006" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154494006">(Jan 06 2019 at 00:54)</a>:</h4>
<p>That seems like a better alternative.</p>



<a name="154494008"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154494008" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154494008">(Jan 06 2019 at 00:54)</a>:</h4>
<p>Although I'm not sure how it would solve the communication issue.</p>



<a name="154494060"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154494060" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154494060">(Jan 06 2019 at 00:57)</a>:</h4>
<p>Well, if you're running it manually it just prints to stdout. And if you're setting up a cronjob you presumably set up alerting as well. The great thing about it is that since all the required data is already in the binary, anyone can audit it. Even if it's a weird thing like a docker container, both your cloud provider and docker container registry can run an audit and notify whoever has it running and image owner respectively</p>



<a name="154494069"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154494069" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154494069">(Jan 06 2019 at 00:57)</a>:</h4>
<p>I think Google Cloud already does security scans on Docker images, but it's limited to Linux distro packages right now</p>



<a name="154494110"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154494110" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154494110">(Jan 06 2019 at 00:58)</a>:</h4>
<p>So all you need to do as a user is simply check a checkbox</p>



<a name="154494126"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154494126" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154494126">(Jan 06 2019 at 00:59)</a>:</h4>
<p>According to <a href="https://doc.rust-lang.org/cargo/reference/build-scripts.html#case-study-code-generation" target="_blank" title="https://doc.rust-lang.org/cargo/reference/build-scripts.html#case-study-code-generation">the docs</a> injecting extra data into the binary should be pretty straightforward. Address Sanitizer settings encoded in the binary can be seen as prior art.</p>



<a name="154494288"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154494288" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154494288">(Jan 06 2019 at 01:04)</a>:</h4>
<p>I see what you mean.</p>



<a name="154494542"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154494542" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154494542">(Jan 06 2019 at 01:14)</a>:</h4>
<p>Also, thanks a lot for writing crates-audit. As you can see, I am enjoying it :)</p>



<a name="154494785"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154494785" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154494785">(Jan 06 2019 at 01:20)</a>:</h4>
<p>And it has already found two widespread issues that are not fixable by <code>cargo update</code>. That too.</p>



<a name="154524358"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154524358" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154524358">(Jan 06 2019 at 17:41)</a>:</h4>
<p>nice re: rust-amqp</p>



<a name="154524414"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154524414" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154524414">(Jan 06 2019 at 17:42)</a>:</h4>
<p>that reminds me, I should incorporate the changes the RustPräzi authors suggested</p>



<a name="154524416"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154524416" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154524416">(Jan 06 2019 at 17:42)</a>:</h4>
<p>into the <code>rustsec</code> crate and the advisory DB</p>



<a name="154524441"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154524441" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154524441">(Jan 06 2019 at 17:43)</a>:</h4>
<p>it's mostly making paths to vulnerable code generic over functions as well as types, and breaking them down version-by-version (e.g. if a vulnerable function was renamed at some point)</p>



<a name="154590364"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154590364" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154590364">(Jan 07 2019 at 18:43)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> is building on pre-1.31 Rust a hard requirement for <code>crates-audit</code>? My PR to upgrade its <code>rustsec</code> crate, which would fix the false positives, fails CI because 0.10 came with a bump to the 2018 edition</p>



<a name="154590595"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154590595" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154590595">(Jan 07 2019 at 18:46)</a>:</h4>
<p>Oh, I just saw your PR. Gitlab apparently does not notify me of events on my own repos by default!</p>



<a name="154590601"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154590601" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154590601">(Jan 07 2019 at 18:46)</a>:</h4>
<p>Taking a look now.</p>



<a name="154591724"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154591724" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154591724">(Jan 07 2019 at 19:00)</a>:</h4>
<p>Upgrading the CI to use 1.31 or whatever the latest rust is should always be fine with me.</p>



<a name="154591753"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154591753" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154591753">(Jan 07 2019 at 19:01)</a>:</h4>
<p>I commented on your PR on how to fix the pipeline in your branch so that I can merge it.</p>



<a name="154592233"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154592233" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154592233">(Jan 07 2019 at 19:08)</a>:</h4>
<p>Done. Thanks!</p>



<a name="154594345"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154594345" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154594345">(Jan 07 2019 at 19:34)</a>:</h4>
<p>Merged. It looks like it reduced the number of reported crates by 1000</p>



<a name="154595118"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/154595118" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#154595118">(Jan 07 2019 at 19:42)</a>:</h4>
<p>Yup, almost. 1696 to 724</p>



<a name="171332741"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171332741" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171332741">(Jul 20 2019 at 16:01)</a>:</h4>
<p>Is sorting things on <a href="https://crates.rustsec.org/" target="_blank" title="https://crates.rustsec.org/">https://crates.rustsec.org/</a> by download count on the TODO list already?</p>



<a name="171333101"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333101" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333101">(Jul 20 2019 at 16:13)</a>:</h4>
<p>Looks like right now the list of crates comes from the git repo, not the <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> API, so it'd require adding that</p>



<a name="171333141"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333141" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333141">(Jul 20 2019 at 16:14)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> that sounds good</p>



<a name="171333147"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333147" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333147">(Jul 20 2019 at 16:14)</a>:</h4>
<p>/me looks at his TODO list for the weekend and does this instead</p>



<a name="171333670"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333670" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333670">(Jul 20 2019 at 16:30)</a>:</h4>
<p>hahaha</p>



<a name="171333678"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333678" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333678">(Jul 20 2019 at 16:30)</a>:</h4>
<p>/me finally gonna try to play with rustembedded on PyPortal <span aria-label="smiley" class="emoji emoji-1f603" role="img" title="smiley">:smiley:</span></p>



<a name="171333684"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333684" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333684">(Jul 20 2019 at 16:30)</a>:</h4>
<p>they just got the ADC working so we can finally use the joystick</p>



<a name="171333830"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333830" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333830">(Jul 20 2019 at 16:35)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> actually I've found that the current representation is not very helpful. It would be way better to group the view by vulnerabilities and look at the affected crates for each, instead of looking at every crate in isolation and getting a list of vulnerabilities. This was my impression when I was using this to try to go and fix stuff last time there was no semver-compatible fix.</p>



<a name="171333903"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333903" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333903">(Jul 20 2019 at 16:37)</a>:</h4>
<p>I think probably two different views are required for different use cases -- if you're trying to work through the impact of one particular vuln, you want what you said, if you're just trying to clean up the ecosystem, starting from "most downloads" makes the most sense.</p>



<a name="171333971"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333971" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333971">(Jul 20 2019 at 16:39)</a>:</h4>
<p>I should ping the RustPräzi people again. I kept hoping they'd make a hosted version, but it seems it might've just been a (now abandoned) academic project <span aria-label="cry" class="emoji emoji-1f622" role="img" title="cry">:cry:</span></p>



<a name="171333974"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171333974" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171333974">(Jul 20 2019 at 16:39)</a>:</h4>
<p>as in <a href="https://github.com/praezi/rust" target="_blank" title="https://github.com/praezi/rust">https://github.com/praezi/rust</a></p>



<a name="171334459"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334459" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334459">(Jul 20 2019 at 16:54)</a>:</h4>
<p>Ok, here we go: <a href="https://gitlab.com/zachreizner/crates-audit/merge_requests/2" target="_blank" title="https://gitlab.com/zachreizner/crates-audit/merge_requests/2">https://gitlab.com/zachreizner/crates-audit/merge_requests/2</a></p>



<a name="171334528"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334528" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334528">(Jul 20 2019 at 16:57)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> do you have any thoughts about moving <code>crates-audit</code> under <a href="https://github.com/rust-secure-code/" target="_blank" title="https://github.com/rust-secure-code/">https://github.com/rust-secure-code/</a> ? I mainly ask because it's both cool but also has low-visibility / awareness</p>



<a name="171334575"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334575" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334575">(Jul 20 2019 at 16:58)</a>:</h4>
<p>I'd be in favor of that -- mostly because I'm lazy and having things in one place is convenient.</p>



<a name="171334592"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334592" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334592">(Jul 20 2019 at 16:59)</a>:</h4>
<p>Already one useful PR out of sorting these things: <a href="https://github.com/abonander/buf_redux/pull/13" target="_blank" title="https://github.com/abonander/buf_redux/pull/13">https://github.com/abonander/buf_redux/pull/13</a></p>



<a name="171334850"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334850" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334850">(Jul 20 2019 at 17:07)</a>:</h4>
<p>I would be fine with moving it, but the gitlab ci would have to be ported.</p>



<a name="171334853"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334853" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334853">(Jul 20 2019 at 17:07)</a>:</h4>
<p>I can help set up CI</p>



<a name="171334895"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334895" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334895">(Jul 20 2019 at 17:08)</a>:</h4>
<p>The CI is what actually does the audit.</p>



<a name="171334897"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334897" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334897">(Jul 20 2019 at 17:08)</a>:</h4>
<p>aah</p>



<a name="171334901"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334901" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334901">(Jul 20 2019 at 17:08)</a>:</h4>
<p>can you host the repo on GitHub but use GitLab CI?</p>



<a name="171334907"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334907" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334907">(Jul 20 2019 at 17:08)</a>:</h4>
<p>I haven't really used GitLab</p>



<a name="171334908"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334908" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334908">(Jul 20 2019 at 17:08)</a>:</h4>
<p>Also, I know we have that longstanding issue of moving off of cloudflare, which I think is used to serve the traffic from my Google cloud bucket more cheaply.</p>



<a name="171334913"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334913" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334913">(Jul 20 2019 at 17:09)</a>:</h4>
<p>Travis has the ability to do builds scheduled daily/weekly/monthly, that seems sufficient?</p>



<a name="171334916"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334916" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334916">(Jul 20 2019 at 17:09)</a>:</h4>
<p>yeah I'd love to migrate all of the (other) RustSec stuff to use GitHub Pages built-in HTTPS support</p>



<a name="171334919"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334919" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334919">(Jul 20 2019 at 17:09)</a>:</h4>
<p>yeah Travis is what we're using for some of the other projects</p>



<a name="171334921"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334921" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334921">(Jul 20 2019 at 17:09)</a>:</h4>
<p>well mostly RustSec</p>



<a name="171334973"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334973" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334973">(Jul 20 2019 at 17:10)</a>:</h4>
<p>Yeah. It should be sufficient</p>



<a name="171334986"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171334986" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171334986">(Jul 20 2019 at 17:11)</a>:</h4>
<p>I'm currently on vacation until Tuesday, but I can review patches in the meantime if anybody steps up.</p>



<a name="171335035"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335035" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335035">(Jul 20 2019 at 17:12)</a>:</h4>
<p>I can make a repo which you can push the existing code (possibly after merging some PRs) to whenever you're ready</p>



<a name="171335037"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335037" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335037">(Jul 20 2019 at 17:12)</a>:</h4>
<p>I guess one question is should it be <a href="https://github.com/rustsecurecode" target="_blank" title="https://github.com/rustsecurecode">https://github.com/rustsecurecode</a> or <a href="https://github.com/rustsec" target="_blank" title="https://github.com/rustsec">https://github.com/rustsec</a></p>



<a name="171335040"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335040" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335040">(Jul 20 2019 at 17:12)</a>:</h4>
<p>on second thought it feels a bit more like the latter</p>



<a name="171335098"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335098" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335098">(Jul 20 2019 at 17:14)</a>:</h4>
<p>Should go in the same place as cargo-audit and friends</p>



<a name="171335288"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335288" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335288">(Jul 20 2019 at 17:20)</a>:</h4>
<p>this is also reminding me I should add a second admin (or rather, third, as I gave <span class="user-mention" data-user-id="132362">@Joshua Liebow-Feeser</span> access) for RustSec</p>



<a name="171335435"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335435" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335435">(Jul 20 2019 at 17:25)</a>:</h4>
<p>This reminds me, I should finish my RFC for something like <a href="https://github.com/Shnatsel/rust-audit" target="_blank" title="https://github.com/Shnatsel/rust-audit">https://github.com/Shnatsel/rust-audit</a> in Cargo by default</p>



<a name="171335473"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335473" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335473">(Jul 20 2019 at 17:26)</a>:</h4>
<p>among a zillion other things</p>



<a name="171335620"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335620" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335620">(Jul 20 2019 at 17:30)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> I should also finally address your issue about taking the lockfile via stdin</p>



<a name="171335678"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335678" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335678">(Jul 20 2019 at 17:32)</a>:</h4>
<p>you have a few months before people start really actually needing it because there is no way my RFC is going to be merged in less than a month, let alone implemented</p>



<a name="171335694"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171335694" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171335694">(Jul 20 2019 at 17:33)</a>:</h4>
<p>I opened this trivial thing a month ago and it's yet to be looked at by the libs team: <a href="https://github.com/rust-lang/rfcs/pull/2714" target="_blank" title="https://github.com/rust-lang/rfcs/pull/2714">https://github.com/rust-lang/rfcs/pull/2714</a></p>



<a name="171336008"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171336008" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171336008">(Jul 20 2019 at 17:43)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> is this your GitHub account? <a href="https://github.com/zachreizner" target="_blank" title="https://github.com/zachreizner">https://github.com/zachreizner</a></p>



<a name="171336126"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171336126" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171336126">(Jul 20 2019 at 17:46)</a>:</h4>
<p>Yes</p>



<a name="171336138"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171336138" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171336138">(Jul 20 2019 at 17:47)</a>:</h4>
<p>cool, sending you an invite</p>



<a name="171336184"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171336184" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171336184">(Jul 20 2019 at 17:48)</a>:</h4>
<p>sent, and here's an empty crates-audit repo: <a href="https://github.com/RustSec/crates-audit" target="_blank" title="https://github.com/RustSec/crates-audit">https://github.com/RustSec/crates-audit</a></p>



<a name="171336192"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171336192" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171336192">(Jul 20 2019 at 17:49)</a>:</h4>
<p>you (and <span class="user-mention" data-user-id="130046">@Alex Gaynor</span> and <span class="user-mention" data-user-id="127617">@Shnatsel</span>) have admin access to it</p>



<a name="171336203"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171336203" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171336203">(Jul 20 2019 at 17:49)</a>:</h4>
<p>This feels like a Google takeover of RustSec. 3 out of 5 people in there are employed by Google.</p>



<a name="171336325"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171336325" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171336325">(Jul 20 2019 at 17:52)</a>:</h4>
<p>hahaha</p>



<a name="171336328"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171336328" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171336328">(Jul 20 2019 at 17:52)</a>:</h4>
<p>eh, better than bus factor 1 <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="171336422"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171336422" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171336422">(Jul 20 2019 at 17:55)</a>:</h4>
<p>BBIAB</p>



<a name="171338015"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171338015" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171338015">(Jul 20 2019 at 18:43)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> speaking of rust-praezi: <a href="https://github.com/trailofbits/siderophile" target="_blank" title="https://github.com/trailofbits/siderophile">https://github.com/trailofbits/siderophile</a> also generates a call graph and actually exports it too</p>



<a name="171338589"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crates-audit/near/171338589" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crates-audit.html#171338589">(Jul 20 2019 at 19:00)</a>:</h4>
<p>the thing I liked about RustPräzi was it was built for a global analysis of all of <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a>. I saw that (I know several Trail o' Bits people via various blockchain stuff), but it looked more like an enhanced <code>cargo geiger</code> to me...</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>